Compliance: Top tips for data guardians

So how should firms protect data to comply with the DPA and with the Payment Card Industry Data Security Standard (PCI DSS)?

The Data Protection Act (DPA) defines personal data as information relating to a living individual who can be identified from it, whether held electronically or on paper, and sets out principles governing how that data may be collected and processed, including that it is processed fairly and lawfully and obtained only for specified purposes.

The principles that matter most to IT managers responsible for storage and retention are that personal data is not kept for longer than necessary; that appropriate technical and organisational measures protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage; and that it is not transferred to a country outside the European Economic Area (EEA) unless that country ensures an adequate level of protection.

In most cases, storage management, backup and archiving applications can be configured to delete files automatically once a retention period set by the administrator expires, provided the policy is applied to every copy, including backup and archive sets. Few, if any, calamities stemming from expired data retention periods have surfaced publicly so far.

Many organisations remain wary of transferring data to countries outside the EEA. Where doubts about compliance exist, UK companies have often elected to keep data or databases on-premise while hosting other applications or services elsewhere. This is one reason for the increased corporate interest in hybrid cloud platforms, which support the necessary separation and help allay the associated security concerns.

Some experts argue that fears about hosting data on living individuals off-premise are often unfounded: the DPA's transfer restriction does not apply to hosting within the EEA at all, a number of countries outside the EEA have been formally recognised by the European Commission as providing adequate protection, and hosting providers routinely build data protection commitments into service level agreements (SLAs).

For the most part, IT departments are also on top of their game when it comes to the on-premise security measures required to avoid data loss: firewalls to keep out attackers; anti-virus and other anti-malware software to stop data being lost, corrupted or falling into the wrong hands; and effective user authentication so that only those with the right privileges can reach the data in the first place.

Where most organisations have been caught out is in cases where confidential data about individuals has been copied onto portable media – USB sticks or other forms of removable drives, or portable devices such as laptops or smartphones – which are then lost or stolen.

As well as the security measures mentioned above, deploying logging and auditing tools that keep close track of what users do with the data they access, when and where, can help alleviate this to a certain extent, if only by deterring people from doing it in the first place.

But many IT departments believe a simpler, all-encompassing answer is to encrypt all data, either at source or at some point on its journey from database to end user, so that even if it does fall into the wrong hands it cannot be read.

“The question is, where do you put encryption – in the database on a public domain or public network, on the laptop hard drive?” asks Richard Moulds, vice president of product strategy at information systems security specialist Thales e-Security.

“Organisations also need to think about whether they need it in more than one place – in the applications, the database, the web, the call centre etc. There are lots of choices and the cost of deployment varies.”

There is no formal compulsion to audit DPA compliance: the Information Commissioner's Office (ICO) encourages consensual audits and can compel an audit only where it has served an assessment notice. Even so, many organisations, especially in the public sector, have voluntarily submitted to regular audits to confirm that their data is protected and that the necessary security procedures are in place.

Demonstrating PCI DSS compliance is a little more hands-on for those wanting to do so, with companies in the US more keen than those in the UK and Europe.

Merchants and service providers processing smaller volumes of card transactions (fewer than 20,000 a year) are required to complete the appropriate self-assessment questionnaire (SAQ), downloadable from the PCI Security Standards Council web site, and to pass quarterly external vulnerability scans conducted by an Approved Scanning Vendor (ASV), a scanning company approved by the PCI Security Standards Council rather than by the individual card brands.

Any organisation handling larger volumes of transactions has to be assessed on site by a Qualified Security Assessor (QSA), which produces an annual Report on Compliance; it must also keep passing quarterly scans by an Approved Scanning Vendor (ASV) of every externally facing IP address that may transmit cardholder data.

The PCI Security Standards Council is keen to point out that simply installing security software will not make an organisation PCI DSS-compliant and urges firms to focus on the “big picture”, or an overarching security infrastructure that covers all elements.

In many ways, the practical security measures for PCI DSS compliance mirror those required under the DPA: keeping anti-virus software up to date, developing and maintaining secure systems and applications, and restricting employee access to cardholder data on a need-to-know basis, for example. The standard also requires strong cryptography for cardholder data transmitted across open, public networks. At rest, the primary account number must be rendered unreadable wherever it is stored (by encryption, truncation, tokenisation or hashing), and sensitive authentication data such as full track contents, card verification codes and PINs must not be stored after authorisation at all; encrypting the whole database is one way to meet this, not a requirement in itself.

“In many ways the process of scrambling data is almost commoditised, but the issue now is how to devise policies around storing and backing up encryption keys, and that is more about training and organisational policies,” says Moulds. “If you encrypt all your data, and you either lose the keys or they become unavailable, access to that database is going to be lost.”

Rob Rachwald, director for security strategy at data protection vendor Imperva, says companies can also review and alter the code in their existing transactional applications and/or deploy a specialist web application firewall (WAF) in front of them to protect e-commerce transactions, the two options PCI DSS offers for public-facing web applications.

“PCI does not stipulate if you review the code manually or with automated tools, though if you go with automated tools you still have to go through a manual process to double check, plus it is a temporary fix,” says Rachwald. “A WAF is always on, quick to install and a lot cheaper.”

Nor does outsourcing data security provision automatically make an organisation compliant, according to the PCI Security Standards Council: policies and procedures for cardholder transactions and data processing, including charge-backs and refunds, remain the merchant's responsibility. Individual organisations must also make sure that their providers' applications and card payment terminals comply with the PCI standards and do not store cardholder data, and request proof of compliance (typically an attestation of compliance) from providers annually.